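8.1 Using SaltStack
Three main functions: remote execution, configuration management, and cloud management
Run modes: local, Master/Minion, Salt SSH
SaltStack uses a client/server (C/S) model: the server side is the Salt master and the client side is the minion, and the two communicate over the ZeroMQ message queue. When a minion comes online it first contacts the master and sends its public key. The master can then see the minion's key with the salt-key -L command. Once that minion key is accepted, the master and the minion trust each other, and the master can send any command for the minion to execute.
Once started, the salt-master service opens two ports, 4505 and 4506. The minion opens no port; secure management is implemented through a "two-way key exchange" (viewable with the tree /etc/salt/pki command). Every command the salt-master executes is received by all minions.
8.1.1 Installing and running SaltStack
Master server operating system: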
[root@centos ~]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@centos ~]# uname -r
3.10.0-862.3.2.el7.x86_64
Master server installation and configuration: IP: 192.168.31.55/24
Additional setup: install python3 on CentOS:
yum install zlib* -y
yum install openssl-devel
wget https://www.python.org/ftp/python/3.6.5/Python-3.6.5.tgz
tar zxvf Python-3.6.5.tgz
cd Python-3.6.5
./configure --with-ssl
make
make install
# If it is a symbolic link, it can simply be deleted
mv /usr/bin/python /usr/bin/python2
ln -s /usr/local/bin/python3.6 /usr/bin/python
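# Edit yum so that it keeps working; yum depends on the old Python version
vi /usr/bin/yum
# Change the first line of the file above:
# from #!/usr/bin/python to #!/usr/bin/python2
vi /usr/libexec/urlgrabber-ext-down
# Change the first line of the file above:
# from #!/usr/bin/python to #!/usr/bin/python2
For installing SaltStack, see the official documentation: https://repo.saltstack.com/
The usual installation commands are: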
sudo apt-get install salt-master
sudo apt-get install salt-minion
sudo apt-get install salt-ssh
sudo apt-get install salt-syndic
sudo apt-get install salt-cloud
sudo apt-get install salt-api
or:
sudo yum install salt-master
sudo yum install salt-minion
sudo yum install salt-ssh
sudo yum install salt-syndic
sudo yum install salt-cloud
sudo yum install salt-api
After installation, edit the configuration files:
cd /etc/salt/master.d/
# Edit the file
vi eauth.conf
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner'
# Create the file
vi api.conf
rest_cherrypy:
  port: 8000
# Set the master's IP address in the minion configuration
sed -i 's/#master: salt/master: 192.168.31.55/g' /etc/salt/minion
# Start the services
systemctl start salt-master
systemctl start salt-minion
systemctl start salt-api
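The eauth.conf above grants the saltapi account every execution function (.*) plus the wheel and runner subsystems, and api.conf names no certificate. The following added example (not from the original page) flags both conditions in config text; the sample configs, the narrower grant, the placeholder certificate paths and the function names broad_grants and api_has_tls are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit Salt API configs for over-broad grants and missing TLS.

# Constructed sample, same grants as eauth.conf above (YAML double quotes
# are used instead of single quotes so the text fits a shell string).
EAUTH_BROAD='external_auth:
  pam:
    saltapi:
      - .*
      - "@wheel"
      - "@runner"'

# Constructed sample: one target, named functions only (hypothetical policy).
EAUTH_NARROW='external_auth:
  pam:
    saltapi:
      - "liu-ubuntu":
        - test.ping
        - pkg.version'

# Constructed samples of api.conf: as above, and with certificate paths set
# (the paths are placeholders).
API_PLAIN='rest_cherrypy:
  port: 8000'
API_TLS='rest_cherrypy:
  port: 8000
  ssl_crt: /path/to/cert.pem
  ssl_key: /path/to/key.pem'

# Print "user: grant" for each grant that matches every execution function
# (.*) or opens the wheel or runner subsystems (@wheel, @runner).
broad_grants() {
    printf '%s\n' "$1" | awk -v q="'" '
        /^    [^ -][^:]*:[ ]*$/ { user = $1; sub(/:$/, "", user); next }
        /^      - / {
            g = $0; sub(/^      - /, "", g)
            gsub("[\"" q "]", "", g); sub(/[ ]+$/, "", g)
            if (g == ".*" || g == "@wheel" || g == "@runner") print user ": " g
        }'
}

# Succeed only when the rest_cherrypy block sets both ssl_crt and ssl_key.
api_has_tls() {
    printf '%s\n' "$1" | grep -q '^  ssl_crt: ' &&
        printf '%s\n' "$1" | grep -q '^  ssl_key: '
}

broad_grants "$EAUTH_BROAD"
api_has_tls "$API_PLAIN" || echo "api.conf: no ssl_crt/ssl_key set"
```

The parser assumes the two-space YAML indentation shown in the samples; a file indented differently needs the patterns adjusted.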
Minion client operating system: IP: 192.168.31.55/24
root@liu-ubuntu:~# cat /etc/issue
Ubuntu 16.04.4 LTS \n \l
root@liu-ubuntu:~# uname -r
4.13.0-43-generic
Minion client installation and configuration:
apt-get install salt-minion -y
sed -i 's/#master: salt/master: 192.168.31.55/g' /etc/salt/minion
root@liu-ubuntu:~# /etc/init.d/salt-minion start
[ ok ] Starting salt-minion (via systemctl): salt-minion.service.
8.1.2 Common SaltStack commands and parameters
[root@centos ~]# salt-key -L
Accepted Keys:
centos
Denied Keys:
Unaccepted Keys:
liu-ubuntu
Rejected Keys:
[root@centos ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
liu-ubuntu
Proceed? [n/Y] y
Key for minion liu-ubuntu accepted.
[root@centos ~]# salt-run manage.up
- centos
- liu-ubuntu
[root@centos ~]# salt-run manage.status
down:
up:
- centos
- liu-ubuntu
# Stop the salt-minion service on the master
[root@centos ~]# systemctl stop salt-minion
[root@centos ~]# salt-run manage.status
down:
- centos
up:
- liu-ubuntu
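Common command | Description |
---|---|
salt-key -L | List the minions |
salt-key -A | Accept all minions |
salt-key -a | Accept one specified minion |
salt-key -D | Delete all authenticated minions |
salt-key -d | Delete the specified minion |
salt-run manage.up | List the minions that are up |
salt-run manage.down | List the minions that are down |
salt-run manage.status | Show the status of the minions |
salt-run manage.versions | Show the Salt version of every master and minion |
salt -d | Show the help documentation |
salt '*' sys.doc | Show the help documentation |
salt '*' service.get_all | List all services on the minions |
salt '*' service.reload sshd | Reload the sshd service |
salt '*' pkg.list_pkgs | List installed packages with their versions |
salt '*' pkg.version python | Show the version of a package |
salt '*' pkg.install httpd | Install a package |
salt '*' service.status mysql | Show the status of the mysql service |
salt '*' service.start mysql | Start the mysql service |
salt '*' sys.list_modules | List the modules |
salt-cp '*' /etc/hosts /etc/hosts | Distribute the hosts file to all minions |
salt '*' file.copy /tmp/zabbix.sls /tmp/sls | Copy the corresponding file from the server to the matching directory on the minions |
salt '*' cp.get_dir salt://zabbix /tmp | Copy the corresponding directory from the server to the matching directory on the minions |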
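Because an accepted key lets the master run any command on that minion and lets that minion receive every published job, salt-key -A trusts whatever happens to be pending. The following added example (not from the original page) parses salt-key -L output in the layout shown above and accepts only IDs whose fingerprint matches an inventory; the inventory format, the placeholder fingerprints, the extra ID unknown-host and the function names are assumptions. On a real system the recorded fingerprint comes from salt-call --local key.finger on the minion and the observed one from salt-key -f <id> on the master.

```shell
#!/bin/sh
# Added example: accept only expected minion keys instead of `salt-key -A`.

# Constructed sample of `salt-key -L` output, same layout as the session above,
# with one extra pending ID (unknown-host) that nobody provisioned.
KEY_LIST='Accepted Keys:
centos
Denied Keys:
Unaccepted Keys:
liu-ubuntu
unknown-host
Rejected Keys:'

# Constructed inventory, one "minion-id fingerprint" pair per line.
# The fingerprints are shortened placeholders, not real key fingerprints.
INVENTORY='liu-ubuntu aa:bb:cc:dd
centos 11:22:33:44'

# Print the IDs listed under the "Unaccepted Keys:" heading.
pending_keys() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z]+ Keys:$/ { pending = ($0 == "Unaccepted Keys:"); next }
        pending && NF { print $1 }'
}

# decide <minion-id> <fingerprint-seen-on-master> <inventory>
# Prints "accept" only if the ID is in the inventory and the fingerprints match.
decide() {
    printf '%s\n' "$3" | awk -v id="$1" -v fp="$2" '
        $1 == id { found = 1; ok = ($2 == fp) }
        END { print ((found && ok) ? "accept" : "hold") }'
}

# Walk the pending list; the fingerprints "seen on the master" are constructed.
review() {
    for id in $(pending_keys "$KEY_LIST"); do
        case $id in
            liu-ubuntu) seen='aa:bb:cc:dd' ;;   # matches the inventory
            *)          seen='ff:ff:ff:ff' ;;   # ID was never provisioned
        esac
        echo "$id $(decide "$id" "$seen" "$INVENTORY")"
    done
}

review
```

For an ID reported as accept, run salt-key -a with that ID; anything reported as hold stays pending until someone has checked where the key came from.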
8.1.3 Remote execution
Run a remote command with cmd.shell
[root@centos ~]# salt 'liu-ubuntu' cmd.shell 'ls -l'
liu-ubuntu:
total 132
-rwxr--r-- 1 root root 64 Jun 4 09:51 01-argv.py
-rwxr-xr-x 1 root root 137 Jun 4 10:47 02-stdinout.py
-rwxr-xr-x 1 root root 232 Jun 4 10:59 03-sysexit.py
-rwxr-xr-x 1 root root 135 Jun 4 11:07 04-getpass.py
-rwxr-xr-x 1 root root 747 Jun 4 11:37 05-configparser.py
-rwxr-xr-x 1 root root 255 Jun 4 13:54 06-argparse.py
-rwxr-xr-x 1 root root 655 Jun 4 14:38 07-log.py
-rwxr-xr-x 1 root root 203 Jun 4 22:03 08-fnmatch.py
-rwxr-xr-x 1 root root 63 Jun 4 23:18 09-glob.py
-rwxr-xr-x 1 root root 193 Jun 4 23:30 10-walk.py
-rwxr-xr-x 1 root root 236 Jun 5 09:33 11-filecmp.py
-rwxr-xr-x 1 root root 155 Jun 5 10:00 12-tarfile.py
-rwxr-xr-x 1 root root 154 Jun 5 10:01 13-tarfile2.py
-rwxr-xr-x 1 root root 136 Jun 5 10:19 14-sprun.py
-rwxr-xr-x 1 root root 176 Jun 5 10:45 15-sppopen.py
-rwxr-xr-x 1 root root 311 Jun 5 15:06 16-psutil.py
-rwxr-xr-x 1 root root 329 Jun 5 15:49 17-pyinofify.py
-rwxr-xr-x 1 root root 949 Jun 5 16:53 18-mysql.py
-rwxr-xr-x 1 root root 523 Jun 17 22:59 19-sendmail.py
-rwxr-xr-x 1 root root 743 Jun 18 10:57 20-sendattmail.py
-rwxr-xr-x 1 root root 978 Jun 18 15:38 21-pop3.py
-rwxr-xr-x 1 root root 290 Jun 24 10:13 22-nmap.py
-rw-r--r-- 1 root root 264 Jun 24 00:23 Dockerfile
drwxr-xr-x 2 root root 4096 Jun 5 09:21 a
drwxr-xr-x 2 root root 4096 Jun 5 10:02 allpy
drwxr-xr-x 2 root root 4096 Jun 5 09:22 b
-rw-r--r-- 1 root root 24 Jun 5 08:41 file1
-rw-r--r-- 1 root root 23 Jun 5 08:41 file2
-rw-r--r-- 1 root root 23 Jun 5 09:16 file3
-rw-r--r-- 1 root root 162 Jun 5 15:04 test.conf
-rwxr--r-- 1 root root 70 Jun 3 10:24 test.py
-rw-r--r-- 1 root root 10 Jun 21 23:42 test.txt
drwxr-xr-x 2 root root 4096 Jun 24 00:31 www
Test connectivity to the clients
[root@centos ~]# salt '*' test.ping
liu-ubuntu:
True
centos:
Minion did not return. [Not connected]